Custom roles and role precedence

Hi All,

The docs about roles are very basic and don’t solve all of my doubts about creating new roles.

As it specifies three levels (global, clusters and projects) and you can have one role inherit from some that exist, what is the precedence of the roles inside a role?

For example, I want to create a new role that is a regular project user without the ability to create new namespaces. Below is the print of that role:

But when I associate it with a new user, that user can create new namespaces even though the explicit verbs of the role don’t allow it.

Another question: when using the default, out-of-box role Project-Member, the user cannot see all namespaces. When I create a new one from scratch, the user can see all the namespaces. How can I restrict the namespaces the user can see?

Thanks.

1 Like

Role grants are purely additive. There is no precedence. You just get a union of all the grants. This is how it is implemented in Kubernetes. To clarify this in the docs, I’ve opened this PR: https://github.com/rancher/docs/pull/356/files

Yes, in this case, you cannot inherit from the project member role because of the additive property. You would have to create a custom role that mimics the project member role (minus the create namespace grant) but does not inherit from it.

To build a mimic of the project member role, you can either view it in the UI at https://<your rancher>/g/security/roles/project-member or see it in the API at https://<your rancher>/v3/roleTemplates/project-member

Also, in investigating this issue, I noticed a bug in the display of the Project Member role. If you start looking at the role in the UI, I don’t want you to be thrown off, so I’m calling it out for you here. Here’s the issue I opened for it: https://github.com/rancher/rancher/issues/14228
The role that project-member is inheriting from is just “edit”.

Since you aren’t the only person who is going to want to do something like this, I’ve opened this feature request to make this process easier, though I can’t guarantee when/if it will get done: https://github.com/rancher/rancher/issues/14229

The problem is that you are granting list on namespaces. List is effectively global. Actually, you should drop the namespace grant entirely. The framework will always grant view access to the namespaces for the project where the role is being assigned.

2 Likes
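Added example (not part of the thread and not Rancher's code): a small Python model of the additive behaviour described in the answer above, showing why a custom role that inherits from project-member still permits namespace creation, and how a flattened mimic without the namespace grants avoids it. The template contents and the field names `inherits` and `rules` are constructed for illustration and are not the real Rancher rule sets.

```python
# Constructed, simplified role templates: NOT the real Rancher rule sets.
# "inherits" and "rules" are illustrative field names for this sketch.
TEMPLATES = {
    "edit": {"inherits": [], "rules": [
        {"resources": ["pods", "services"],
         "verbs": ["get", "list", "create", "delete"]},
    ]},
    "project-member": {"inherits": ["edit"], "rules": [
        {"resources": ["namespaces"], "verbs": ["create"]},
    ]},
    # Custom role that inherits and only lists a narrow verb of its own.
    "custom-inheriting": {"inherits": ["project-member"], "rules": [
        {"resources": ["namespaces"], "verbs": ["get"]},
    ]},
}


def effective_grants(name, templates, _seen=None):
    """Return the set of (resource, verb) pairs a template grants.

    Grants are a pure union: the template's own rules plus everything
    from inherited templates. A child cannot subtract from a parent.
    """
    seen = _seen if _seen is not None else set()
    if name in seen:  # guard against inheritance cycles
        return set()
    seen.add(name)
    tpl = templates[name]
    grants = {(res, verb) for rule in tpl["rules"]
              for res in rule["resources"] for verb in rule["verbs"]}
    for parent in tpl["inherits"]:
        grants |= effective_grants(parent, templates, seen)
    return grants


def build_mimic(name, templates, drop_resources):
    """Flatten a template into a standalone one (no inheritance),
    omitting every grant on the given resources."""
    by_resource = {}
    for res, verb in sorted(effective_grants(name, templates)):
        if res not in drop_resources:
            by_resource.setdefault(res, []).append(verb)
    rules = [{"resources": [r], "verbs": v} for r, v in by_resource.items()]
    return {"inherits": [], "rules": rules}


# The mimic drops the namespace grants entirely, as the answer advises.
TEMPLATES["custom-mimic"] = build_mimic("project-member", TEMPLATES, {"namespaces"})
```
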

@cjellick, thanks for your very well explained answer.

To me there is something more, in the default behaviour, that is annoying.

When a user first logs in to Rancher, they receive the Standard User grant. This role cannot be changed, nor can a default grant be specified for new users. In my case I need to drop the create clusters feature for users by default. Is there a place where I can do that?

My suggestion is to have an option on the settings screen to specify the default role for new users, maybe by auth method, whether it is internal or external.

I’ve tried to create a new role for global settings but it is not possible, or I cannot do it through the UI.

Thanks.

Agreed! We’ve opened an issue for this:

This is relatively high on our list of issues to address, but it does have to compete with other bugs and features for bandwidth, so I can’t say exactly when it will get done.

1 Like